Open Bug 261326 (bugz_anti-spam_meta) Opened 20 years ago Updated 2 years ago

Bugzilla spam prevention (tracking anti-spam-spiders/harvesters bugs)


(Bugzilla :: Bugzilla-General, defect)

(Reporter: bugzillamozilla, Unassigned)


(Depends on 4 open bugs)


(Keywords: meta)

Fixing Bug 120030 improved the situation significantly, but as spam spiders
improve, it may not be enough. This bug is for tracking other spam-prevention bugs:

Bug 215439 - "Provide alternate method for bugzilla users to contact each other,
prevent spam by not showing email addresses"
Bug 218917 - "Allow login_name != email_address, so address isn't displayed
(anti-spam effect too)"
Bug 219021 - "Email addresses should only be displayed to logged in users"
Bug 145499 - "Privacy for email addresses"

Not directly related to Bugzilla, but also worth listing:
Bug 184456 - " is a spammer's paradise"

Keywords: meta
Summary: [meta] Bugzilla spam prevention (tracking anti-spam-spiders/harvesters bugs) → Bugzilla spam prevention (tracking anti-spam-spiders/harvesters bugs)
meta bugs depend on bugs, not block them.
No longer blocks: 145499, 184456, 215439, 218917, 219021
Depends on: 145499, 184456, 215439, 218917, 219021
Reassigning bugs that I'm not actively working on to the default component owner
in order to try to make some sanity out of my personal buglist.  This doesn't
mean the bug isn't being dealt with, just that I'm not the one doing it.  If you
are dealing with this bug, please assign it to yourself.
Assignee: justdave → general
QA Contact: mattyt-bugzilla → default-qa
I just got spammed...  from what I believe was recently posting on Mozilla Bugzilla.

This looks like it is an issue that is several years old.  Any progress?

#1 - Remove all visible E-Mail addresses from Bugzilla & force all correspondence to go through the "web forms".
#2 - Strip E-Mail addresses from messages being sent from Bugzilla
#3 - Limit the number of "replies" that an ordinary account can do in a day...  Perhaps limit them to 10, with a review process to allow additional replies.
#4 - I'm not sure it would be necessary, but one could limit e-mail addresses to a very small group of active participants.
#5 - Another option for dealing with E-Mail addresses would be to allow the creation of "friends lists" which would be verified by both people, and allow sharing of personal contact info.
#6 - Many web sites have gone to requiring putting in graphic codes to log in, or to send e-mails.  They are a big pain, but can limit fraudulent access.

I suppose I could volunteer to help, but I am a little "rusty" with my Javascript, and would need pretty broad system access.
This bug and dependants should get a LOT more attention!!!
More than 5 years later (and more for some dependent bugs), Bugzilla is still exposing personal email addresses to spammers with no way to change that harmful behaviour. I am getting more and more spam on my bugzilla (bmo) address. If I was a software developer looking for a bug tracking system, this bug alone would make me choose another product. It's a shame. Please do something about it, we really need complete email address privacy.
Severity: normal → critical
Depends on: 163551
Added to the list of dependent bugs (see comment 0):
Bug 163551 - Implement complete email address privacy
Alias: bugz_anti-spam_meta
(In reply to comment #4)

Leave the severity of this bug alone. Bugzilla 3.4 is much better at preventing spam as it now hides email addresses for logged out users. The fact that you don't like this bug doesn't allow you to change its severity.
Severity: critical → normal
Depends on: 536110
I think this bug is critical because it makes a security hole in the worldwide mail system.
(In reply to comment #6)
"Bugzilla 3.4 is much better at preventing spam as it now hides email addresses for logged out users."
Wrong! If I were a spam harvester, I would create a Bugzilla account, log in, make some simple comments to avoid detection of inactivity, read all the bugs in pseudo-random order (to avoid detection) and harvest the email addresses...

Most of the forums have a register page in which I enter a pseudo, my email address (for administrative functions such as notifications of new posts, lost password, etc.) and a password. On each post that I write there is my pseudo (not the email address) and a Personal Message button (PM for short) that the reader can push to send me an email without knowing my address. Spamming with the PM button is dangerous because if I complain to the administrator the offender's account will be revoked! The pseudo is unique on the forum site because a pseudo already in the database is not accepted at registration time. I have the same pseudo on practically all the forum sites, so it is not difficult to remember it...
Why do you not copy this coding and reinvent the wheel with a dozen linked bugs?
No longer depends on: 184456
Slightly better:
- If I am not logged in, the source of " Jean-Marie COUPRIE 2011-04-12 06:33:00 PDT " does not include my email address. This is good!
- If I am logged in, the source of " Jean-Marie COUPRIE 2011-04-12 06:33:00 PDT " includes my email address. This is very bad!
As stated in my previous post, comment 8, an undetected logged-in spam harvester has access to my mail. By the way, I have the knowledge needed to write a script that logs in to Bugzilla, reads a bug report, obtains its source and extracts the emails...
Also, "CC List:" shows emails in clear text! And they can be extracted!
Depends on: 704753
Depends on: 934300
Depends on: 387531
No longer depends on: 387531